Snort mailing list archives

Re: snort install info hyperlink


From: Peter Bates <peter.bates () ucl ac uk>
Date: Tue, 16 Oct 2012 09:03:50 +0100


Hello all

On 16/10/2012 07:50, kevin zhang wrote:
Hello all,
OS: CentOS 6.3 x64
Snort 2.9.3.1
I run Snort in IDS mode; there are a few WARNINGs:

WARNING: flowbits key 'file.autodesk_max' is set but not ever checked.
WARNING: flowbits key 'file.crx' is set but not ever checked.

This is mostly just a WARNING that can be safely ignored - the rule
will still trigger (unless it has been set to noalert in the rule itself).

WARNING: flowbits key 'backdoor.y3krat_15.client.response' is checked
but not ever set.
WARNING: flowbits key 'dce.spoolss.4.call' is checked but not ever set.

These are slightly different - these rules will never fire because they're
looking for flowbits that, as the message says, are never set.

I'd recommend you use PulledPork to manage your rules as this handles the
flowbit resolution for you - however you do still see the first type
(set but not ever checked) but you shouldn't see the second when using PP.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT
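A small flowbit consistency check of the kind PulledPork performs, added here as an example (it is not code from this thread or from PulledPork): it scans rule text, collects which keys are set versus checked, and reports the two warning classes discussed above. The rule lines are constructed samples, and treating set/setx/toggle as "setting" and isset/isnotset as "checking" is an assumption about Snort 2.9 semantics.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from the thread); keys chosen to exercise
# both warning classes Snort prints at startup.
SAMPLE_RULES = r'''
alert tcp any any -> any 80 (msg:"FILE-IDENTIFY crx download"; flow:to_client,established; content:"Cr24"; flowbits:set,file.crx; flowbits:noalert; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"MALWARE-CNC y3krat response"; flow:to_client,established; flowbits:isset,backdoor.y3krat_15.client.response; content:"|00 01|"; sid:1000002; rev:1;)
alert tcp any any -> any 445 (msg:"OS-WINDOWS spoolss call"; flowbits:set,dce.spoolss.4.call,dce; flowbits:noalert; sid:1000003; rev:1;)
alert tcp any any -> any 445 (msg:"OS-WINDOWS spoolss abuse"; flowbits:isset,dce.spoolss.4.call&dce.bind; sid:1000004; rev:1;)
'''

FLOWBITS_RE = re.compile(r'flowbits\s*:\s*([^;]+);')
SETTERS = {'set', 'setx', 'toggle'}      # assumed to count as "setting" a key
CHECKERS = {'isset', 'isnotset'}         # assumed to count as "checking" a key

def parse_flowbits(rule_text):
    """Return (set_keys, checked_keys): each maps a flowbit name to the sids using it."""
    set_keys, checked_keys = defaultdict(set), defaultdict(set)
    for line in rule_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        sid_m = re.search(r'\bsid\s*:\s*(\d+)', line)
        sid = int(sid_m.group(1)) if sid_m else None
        for arg in FLOWBITS_RE.findall(line):
            parts = [p.strip() for p in arg.split(',')]
            op = parts[0].lower()
            if len(parts) < 2:
                continue  # noalert / reset carry no key to track
            # Keys may be combined with & or |; a third comma-separated field,
            # if present, is a group name and is deliberately not treated as a key.
            target = set_keys if op in SETTERS else checked_keys if op in CHECKERS else None
            if target is None:
                continue  # e.g. unset: neither sets nor checks for this purpose
            for key in re.split(r'[&|]', parts[1]):
                if key.strip():
                    target[key.strip()].add(sid)
    return set_keys, checked_keys

def flowbit_warnings(rule_text):
    """Mirror Snort's two startup warnings: 'set but never checked' is benign,
    'checked but never set' means the checking rule can never fire."""
    set_keys, checked_keys = parse_flowbits(rule_text)
    return (sorted(set(set_keys) - set(checked_keys)),
            sorted(set(checked_keys) - set(set_keys)))

if __name__ == '__main__':
    unchecked, unset = flowbit_warnings(SAMPLE_RULES)
    for k in unchecked:
        print(f"WARNING: flowbits key '{k}' is set but not ever checked. (harmless)")
    for k in unset:
        print(f"WARNING: flowbits key '{k}' is checked but not ever set. (rule can never fire)")
```

Pointing `flowbit_warnings` at the concatenated contents of a real rules directory gives the same two lists Snort prints at startup, so dead rules can be found before deployment.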

